!41 fix CVE-2025-30472

From: @fundawang Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2025-03-27 05:46:15 +00:00 · 2025-03-27 05:46:15 +00:00 · d0ab4eeda9
commit d0ab4eeda9
parent 3c05181a2c 09ea5e3c8f
2 changed files with 71 additions and 1 deletions
--- a/backport-CVE-2025-30472.patch
+++ b/backport-CVE-2025-30472.patch
@ -0,0 +1,65 @@
+From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Mon, 24 Mar 2025 12:05:08 +0100
+Subject: [PATCH] totemsrp: Check size of orf_token msg
+
+orf_token message is stored into preallocated array on endian convert
+so carefully crafted malicious message can lead to crash of corosync.
+
+Solution is to check message size beforehand.
+
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
+---
+ exec/totemsrp.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 962d0e2a..364528ce 100644
+--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
+@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
+ 	const struct totemsrp_instance *instance,
+ 	const void *msg,
+ 	size_t msg_len,
+	size_t max_msg_len,
+ 	int endian_conversion_needed)
+ {
+ 	int rtr_entries;
+ 	const struct orf_token *token = (const struct orf_token *)msg;
+ 	size_t required_len;
+ 
+	if (msg_len > max_msg_len) {
+		log_printf (instance->totemsrp_log_level_security,
+		    "Received orf_token message is too long...  ignoring.");
+
+		return (-1);
+	}
+
+ 	if (msg_len < sizeof(struct orf_token)) {
+ 		log_printf (instance->totemsrp_log_level_security,
+ 		    "Received orf_token message is too short...  ignoring.");
+@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
+ 		rtr_entries = token->rtr_list_entries;
+ 	}
+ 
+	if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
+		log_printf (instance->totemsrp_log_level_security,
+		    "Received orf_token message rtr_entries is corrupted...  ignoring.");
+
+		return (-1);
+	}
+
+ 	required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
+ 	if (msg_len < required_len) {
+ 		log_printf (instance->totemsrp_log_level_security,
+@@ -3866,7 +3881,8 @@ static int message_handler_orf_token (
+ 	"Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
+ #endif
+ 
+-	if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
+	if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
+            endian_conversion_needed) == -1) {
+ 		return (0);
+ 	}
+ 
--- a/corosync.spec
+++ b/corosync.spec
@ -23,10 +23,11 @@
 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 Version: 3.0.2
-Release: 5
+Release: 6
 License: BSD
 URL: http://corosync.github.io/corosync/
 Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
+Patch0: backport-CVE-2025-30472.patch

 %if %{with spausedd}
 Source1: https://github.com/jfriesse/spausedd/releases/download/%{spausedd_version}/spausedd-%{spausedd_version}.tar.gz
@ -88,6 +89,7 @@ BuildRequires: readline-devel
 %else
 %setup -q -n %{name}-%{version}%{?gittarver}
 %endif
+%autopatch -p1

 %build
 %if %{with runautogen}
@ -382,6 +384,9 @@ fi
 %endif

 %changelog
+* Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 3.0.2-6
+- fix CVE-2025-30472
+
 * Fri Oct 30 2020 jiangxinyu <jiangxinyu@kylinos.cn> - 3.0.2-5
 - change the use_vmguestlib 1 to use_vmguestlib 0